[
https://issues.apache.org/jira/browse/THRIFT-5710?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jens Geyer resolved THRIFT-5710.
--------------------------------
Fix Version/s: 0.19.0
Assignee: Nick Gavalas
Resolution: Fixed
> NodeJS header transport leaks headers between all instances
> -----------------------------------------------------------
>
> Key: THRIFT-5710
> URL: https://issues.apache.org/jira/browse/THRIFT-5710
> Project: Thrift
> Issue Type: Bug
> Components: Node.js - Library
> Affects Versions: 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0
> Environment: This repros in all environments using the nodejs library.
> Reporter: Nick Gavalas
> Assignee: Nick Gavalas
> Priority: Critical
> Labels: bug, headers, vulnerability
> Fix For: 0.19.0
>
> Original Estimate: 24h
> Time Spent: 40m
> Remaining Estimate: 23h 20m
>
> The header transport in `nodejs` has `TBufferTransport` and
> `TFramedTransport` improperly extending the `THeaderTransport` prototype. The
> intention was to use `THeaderTransport` as an abstract base class and have
> concrete implementations in the other transports. In reality, every instance
> of `TBufferTransport` and `TFramedTransport` actually share a single instance
> of `THeaderTransport` being used as the prototype, which means that they all
> share one object that stores headers that every instance simultaneously
> mutates.
>
> This leaks headers on both the read and the write paths:
> * You can write incorrect headers to a transport that has written headers
> but hasn't flushed yet. This is especially troubling if the headers are used
> for auth, because you're able to mix up requests and auth as the wrong
> entity. (i.e., if two requests set an `Auth` header).
> * You can read headers from other requests. They only clobber each other if
> they have the same name, but the union of all seen headers is returned in
> `getReadHeaders`.
>
> The fix is straightforward but urgent: the header functionality is completely
> broken and a security risk to use in production.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
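The prototype-sharing defect described in the issue, reduced to a standalone illustration. This is an added example, not the Thrift Node.js library's code: `HeaderBase`, `BrokenTransport`, `FixedTransport` and the helper functions are hypothetical names chosen for the demonstration, and the header values are constructed. It shows why assigning a single instance of an "abstract" base as the prototype of a concrete class makes every instance share one mutable headers map, and how running the base constructor per instance (with `Object.create` for method inheritance) gives each transport its own state.

```javascript
// Added example (not Thrift's own code): one shared base instance used as a
// prototype leaks per-request state (headers) across every transport instance.

// Hypothetical abstract base that is meant to own a per-instance headers map.
function HeaderBase() {
  this.writeHeaders = {};
}
HeaderBase.prototype.setWriteHeader = function (name, value) {
  this.writeHeaders[name] = value;
};
HeaderBase.prototype.getWriteHeaders = function () {
  return this.writeHeaders;
};

// BROKEN pattern: a single base instance is the prototype, so `writeHeaders`
// is never an own property of any BrokenTransport; all instances find the same
// map on the prototype and mutate it concurrently.
function BrokenTransport() {}
BrokenTransport.prototype = new HeaderBase();
BrokenTransport.prototype.constructor = BrokenTransport;

// FIXED pattern: inherit the methods, but run the base constructor for each
// instance so every transport owns a fresh headers map.
function FixedTransport() {
  HeaderBase.call(this);
}
FixedTransport.prototype = Object.create(HeaderBase.prototype);
FixedTransport.prototype.constructor = FixedTransport;

// Returns true when a header set on one transport is visible on another,
// i.e. when header state is shared between independent instances.
function headersLeakBetweenInstances(TransportCtor) {
  const a = new TransportCtor();
  const b = new TransportCtor();
  a.setWriteHeader('Auth', 'token-for-a'); // constructed sample value
  return b.getWriteHeaders().Auth === 'token-for-a';
}

// Regression check a test suite could carry: a fresh transport must hold its
// headers as an own property, start empty, and never observe another
// instance's headers.
function ownsIsolatedHeaderState(TransportCtor) {
  const t = new TransportCtor();
  return Object.prototype.hasOwnProperty.call(t, 'writeHeaders') &&
         Object.keys(t.getWriteHeaders()).length === 0 &&
         !headersLeakBetweenInstances(TransportCtor);
}

console.log('broken leaks:', headersLeakBetweenInstances(BrokenTransport)); // true
console.log('fixed leaks:', headersLeakBetweenInstances(FixedTransport));   // false
```

The read path fails the same way: if the map that accumulates headers read off the wire lives on the shared prototype, every instance returns the union of all headers any instance has seen. The `ownsIsolatedHeaderState` check is the kind of assertion worth keeping in a test suite so the pattern cannot quietly return.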